Merge dev into main (#159)

BREAKING CHANGE: Changed to Ubuntu 22.04 instead of Alpine Linux for the docker image. feat(VPN): add the ability to change to wireguard verses running openvpn feat(upstream): pull in changes from haugene/docker-transmission-openvpn feat(Dockerfile): update OPENVPN_OPTS to execute update-resolv-conf to prevent DNS leaks by default feat(image): add two scripts (bash/python) to test if DNS is leaking fix(s6): ensure proper boot order of services and make sure OpenVPN service is actually up fix(workflows): restrict permissions and update all actions fix(multi-arch): arm64 should actually work now with s6 binaries being installed Signed-off-by: Jonathan Sloan <jsloan117@gmail.com>
jsloan117 · Oct 6, 2023 · 0109942 · 0109942
1 parent 4ff2be2
commit 0109942
Show file tree

Hide file tree

Showing 54 changed files with 1,483 additions and 606 deletions.
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
@@ -8,6 +8,7 @@ on:
 jobs:
   cleanup:
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       # https://github.com/marketplace/actions/delete-untagged
       - name: Delete Untagged
@@ -16,3 +17,4 @@ jobs:
           github-token: ${{ secrets.PKG_CLEANUP_KEY }}
           personal-account: true
           repository: ${{ github.repository }}
+
diff --git a/.github/workflows/devimages.yml b/.github/workflows/devimages.yml
@@ -7,10 +7,15 @@ on:
   push:
     branches:
       - dev
-    paths-ignore:
-      - '**.md'
-      - mkdocs.yml
-      - .github/workflows/mkdocs.yml
+    paths:
+      - etc/**
+      - openvpn/**
+      - scripts/**
+      - Dockerfile
+      - Dockerfile.*
+      - '!**.md'
+      - '!mkdocs.yml'
+      - '!.github/workflows/mkdocs.yml'
 
 env:
   IMAGE_NAME: jsloan117/docker-openvpn-client
@@ -21,12 +26,17 @@ concurrency:
 
 jobs:
   scan:
+    name: vulnerability scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # dependency submission API
+      security-events: write # upload sarif report to Github
     steps:
       # https://github.com/marketplace/actions/checkout
       - name: Checkout
         uses: actions/checkout@v4
 
+      # https://github.com/marketplace/actions/docker-metadata-action
       - name: Docker Metadata
         uses: docker/metadata-action@v5.0.0
         id: meta
@@ -48,20 +58,22 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           push: false
           load: true
+          cache-from: type=gha,scope=${{ github.workflow}}
+          cache-to: type=gha,mode=max,scope=${{ github.workflow}}
 
       # https://github.com/marketplace/actions/anchore-sbom-action
       - name: Anchore SBOM Action
         uses: anchore/sbom-action@v0.14.3
         with:
           image: ${{ steps.meta.outputs.tags }}
+          dependency-snapshot: true
 
       # https://github.com/marketplace/actions/anchore-container-scan
       - name: Anchore Container Scan
         uses: anchore/scan-action@v3.3.6
         id: scan
         with:
           image: ${{ steps.meta.outputs.tags }}
-          acs-report-enable: true
           fail-build: true
           severity-cutoff: critical
 
@@ -90,11 +102,14 @@ jobs:
   build-push:
     runs-on: ubuntu-latest
     needs: scan
+    permissions:
+      packages: write # push image to ghcr
     steps:
       # https://github.com/marketplace/actions/checkout
       - name: Checkout
         uses: actions/checkout@v4
 
+      # https://github.com/marketplace/actions/cosign-installer
       - name: Install Cosign
         uses: sigstore/cosign-installer@v3.1.2
 
@@ -140,38 +155,45 @@ jobs:
       # https://github.com/marketplace/actions/build-and-push-docker-images
       - name: Build and push
         uses: docker/build-push-action@v5.0.0
+        id: build
         with:
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             BUILDTIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
             VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
             REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          provenance: true
+          sbom: true
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=${{ github.workflow}}
+          cache-to: type=gha,mode=max,scope=${{ github.workflow}}
 
       - name: Sign Image
         run: |
-          printf '%s' "${COSIGN_KEY}" > cosign.key && \
-          COSIGN_EXPERIMENTAL=1 cosign sign --key cosign.key \
+          cosign sign -y --key env://COSIGN_KEY --recursive \
             -a "repo=${{ github.repository }}" \
             -a "workflow=${{ github.workflow }}" \
             -a "ref=${{ github.sha }}" \
-            -a "ref=${{ github.ref_name }}" ${TAGS}
-          [[ -f cosign.key ]] && rm -fv cosign.key
+            -a "ref=${{ github.ref_name }}" \
+            ${{ env.IMAGE_NAME }}@${DIGEST} \
+            ghcr.io/${{ env.IMAGE_NAME }}@${DIGEST}
         env:
-          TAGS: ${{ steps.meta.outputs.tags }}
-          COSIGN_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+          DIGEST: ${{ steps.build.outputs.digest }}
+          COSIGN_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
       - name: Verify Image
         run: |
           printf '%s' "${COSIGN_PUBLIC_KEY}" > cosign.pub && \
-          cosign verify --key cosign.pub ${TAGS} | jq
+          cosign verify --key env://COSIGN_PUBLIC_KEY \
+          ${{ env.IMAGE_NAME }}@${DIGEST} \
+          ghcr.io/${{ env.IMAGE_NAME }}@${DIGEST} | jq
         env:
-          TAGS: ${{ steps.meta.outputs.tags }}
-          COSIGN_PUBLIC_KEY: ${{secrets.COSIGN_PUBLIC_KEY}}
+          DIGEST: ${{ steps.build.outputs.digest }}
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
 
       # https://github.com/marketplace/actions/upload-a-build-artifact
       - name: Upload public key
@@ -180,3 +202,4 @@ jobs:
           name: cosign.pub
           path: cosign.pub
           if-no-files-found: warn
+
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml
@@ -13,6 +13,7 @@ jobs:
   dockerHubDescription:
     if: github.event_name != 'pull_request'
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       # https://github.com/marketplace/actions/checkout
       - name: Checkout
@@ -25,3 +26,4 @@ jobs:
           username: jsloan117
           password: ${{ secrets.DOCKERHUB_TOKEN }}
           short-description: ${{ github.event.repository.description }}
+
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
@@ -20,19 +20,26 @@ concurrency:
 
 jobs:
   scan:
+    name: vulnerability scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # dependency submission API
+      security-events: write # upload sarif report to Github
     steps:
       # https://github.com/marketplace/actions/checkout
       - name: Checkout
         uses: actions/checkout@v4
 
+      # https://github.com/marketplace/actions/docker-metadata-action
       - name: Docker Metadata
         uses: docker/metadata-action@v5.0.0
         id: meta
         with:
           images: ${{ env.IMAGE_NAME }}
           flavor: latest=false
-          tags: type=ref,event=tag
+          tags: |
+            type=ref,event=tag
+            type=schedule,pattern={{date 'YYYYMMDD'}}
 
       # https://github.com/marketplace/actions/docker-setup-buildx
       - name: Set up Docker Buildx
@@ -48,20 +55,22 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           push: false
           load: true
+          cache-from: type=gha,scope=${{ github.workflow}}
+          cache-to: type=gha,mode=max,scope=${{ github.workflow}}
 
       # https://github.com/marketplace/actions/anchore-sbom-action
       - name: Anchore SBOM Action
         uses: anchore/sbom-action@v0.14.3
         with:
           image: ${{ steps.meta.outputs.tags }}
+          dependency-snapshot: true
 
       # https://github.com/marketplace/actions/anchore-container-scan
       - name: Anchore Container Scan
         uses: anchore/scan-action@v3.3.6
         id: scan
         with:
           image: ${{ steps.meta.outputs.tags }}
-          acs-report-enable: true
           fail-build: true
           severity-cutoff: critical
 
@@ -90,11 +99,14 @@ jobs:
   build-push:
     runs-on: ubuntu-latest
     needs: scan
+    permissions:
+      packages: write # push image to ghcr
     steps:
       # https://github.com/marketplace/actions/checkout
       - name: Checkout
         uses: actions/checkout@v4
 
+      # https://github.com/marketplace/actions/cosign-installer
       - name: Install Cosign
         uses: sigstore/cosign-installer@v3.1.2
 
@@ -122,7 +134,6 @@ jobs:
       # https://github.com/marketplace/actions/docker-setup-buildx
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3.0.0
-        id: buildx
         with:
           install: true
           version: latest
@@ -147,38 +158,43 @@ jobs:
       # https://github.com/marketplace/actions/build-and-push-docker-images
       - name: Build and push
         uses: docker/build-push-action@v5.0.0
+        id: build
         with:
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             BUILDTIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
             VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
             REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=${{ github.workflow}}
+          cache-to: type=gha,mode=max,scope=${{ github.workflow}}
 
       - name: Sign Image
         run: |
-          printf '%s' "${COSIGN_KEY}" > cosign.key && \
-          COSIGN_EXPERIMENTAL=1 cosign sign --key cosign.key \
+          cosign sign -y --key env://COSIGN_KEY --recursive \
             -a "repo=${{ github.repository }}" \
             -a "workflow=${{ github.workflow }}" \
             -a "ref=${{ github.sha }}" \
-            -a "ref=${{ github.ref_name }}" ${TAGS}
-          [[ -f cosign.key ]] && rm -fv cosign.key
+            -a "ref=${{ github.ref_name }}" \
+            ${{ env.IMAGE_NAME }}@${DIGEST} \
+            ghcr.io/${{ env.IMAGE_NAME }}@${DIGEST}
         env:
-          TAGS: ${{ steps.meta.outputs.tags }}
-          COSIGN_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+          DIGEST: ${{ steps.build.outputs.digest }}
+          COSIGN_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
       - name: Verify Image
         run: |
           printf '%s' "${COSIGN_PUBLIC_KEY}" > cosign.pub && \
-          cosign verify --key cosign.pub ${TAGS} | jq
+          cosign verify --key env://COSIGN_PUBLIC_KEY \
+          ${{ env.IMAGE_NAME }}@${DIGEST} \
+          ghcr.io/${{ env.IMAGE_NAME }}@${DIGEST} | jq
         env:
-          TAGS: ${{ steps.meta.outputs.tags }}
-          COSIGN_PUBLIC_KEY: ${{secrets.COSIGN_PUBLIC_KEY}}
+          DIGEST: ${{ steps.build.outputs.digest }}
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
 
       # https://github.com/marketplace/actions/upload-a-build-artifact
       - name: Upload public key
@@ -187,3 +203,4 @@ jobs:
           name: cosign.pub
           path: cosign.pub
           if-no-files-found: warn
+
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -7,9 +7,13 @@ on:
 jobs:
   triage:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       # https://github.com/marketplace/actions/labeler
       - name: Label PRs
         uses: actions/labeler@v4
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
+
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -9,14 +9,16 @@ on:
       - '**.md'
       - mkdocs.yml
       - .github/workflows/mkdocs.yml
+  workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
-  mkdocs:
+  build:
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       # https://github.com/marketplace/actions/checkout
       - name: Checkout
@@ -26,25 +28,38 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@v4
         with:
-          python-version: '3.9'
-
-      - run: pip install wheel
+          python-version: '3.10'
 
       - name: Install MkDocs and deps
         run: |
+          pip install wheel
           pip install mkdocs mkdocs-material mkdocs-material-extensions \
           mkdocs-minify-plugin mkdocs-redirects pygments pymdown-extensions
 
       - name: Build docs
         run: mkdocs build -vcs
 
-      # https://github.com/marketplace/actions/github-pages-action
-      - name: Deploy
-        if: success() && github.event_name != 'pull_request'
-        uses: peaceiris/actions-gh-pages@v3.9.2
+      # https://github.com/marketplace/actions/upload-github-pages-artifact
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v2
         with:
-          force_orphan: true
-          full_commit_message: Deployed ${{ github.sha }} to gh-pages [skip ci]
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_branch: gh-pages
-          publish_dir: ./site
+          path: ./site
+          retention-days: 1
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+    # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#contents
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      # https://github.com/marketplace/actions/deploy-github-pages-site
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v2
+